netd.te - OpenGrok cross reference for /system/sepolicy/prebuilts/api/28.0/public/netd.te

Lines Matching refs:netd
2 type netd, domain, mlstrustedsubject;
5 net_domain(netd)
6 # in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
7 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
9 r_dir_file(netd, cgroup)
11 allow netd system_server:fd use;
13 allow netd self:global_capability_class_set { net_admin net_raw kill };
19 # for netd to operate.
20 dontaudit netd self:global_capability_class_set fsetid;
22 allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
23 allow netd self:netlink_route_socket nlmsg_write;
24 allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
25 allow netd self:netlink_socket create_socket_perms_no_ioctl;
26 allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
27 allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
28 allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
29 allow netd shell_exec:file rx_file_perms;
30 allow netd system_file:file x_file_perms;
31 not_full_treble(`allow netd vendor_file:file x_file_perms;')
32 allow netd devpts:chr_file rw_file_perms;
35 allow netd system_file:file lock;
37 # Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
40 allow netd qtaguid_proc:file rw_file_perms;
41 # Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
42 allow netd qtaguid_device:chr_file r_file_perms;
44 r_dir_file(netd, proc_net)
46 allow netd proc_net:file rw_file_perms;
49 allow netd sysfs:dir r_dir_perms;
50 r_dir_file(netd, sysfs_net)
53 allow netd sysfs_net:file w_file_perms;
56 allow netd sysfs_usb:file write;
58 allow netd fs_bpf:dir  create_dir_perms;
59 allow netd fs_bpf:file create_file_perms;
61 # TODO: netd previously thought it needed these permissions to do WiFi related
64 allow netd self:global_capability_class_set { dac_override chown };
67 allow netd net_data_file:file create_file_perms;
68 allow netd net_data_file:dir rw_dir_perms;
69 allow netd self:global_capability_class_set fowner;
72 allow netd system_file:file lock;
74 # Allow netd to spawn dnsmasq in it's own domain
75 allow netd dnsmasq:process signal;
77 # Allow netd to start clatd in its own domain
78 allow netd clatd:process signal;
80 set_prop(netd, ctl_mdnsd_prop)
81 set_prop(netd, netd_stable_secret_prop)
83 # Allow netd to publish a binder service and make binder calls.
84 binder_use(netd)
85 add_service(netd, netd_service)
86 allow netd dumpstate:fifo_file  { getattr write };
88 # Allow netd to call into the system server so it can check permissions.
89 allow netd system_server:binder call;
90 allow netd permission_service:service_manager find;
92 # Allow netd to talk to the framework service which collects netd events.
93 allow netd netd_listener_service:service_manager find;
95 # Allow netd to operate on sockets that are passed to it.
96 allow netd netdomain:{
102 allow netd netdomain:fd use;
104 # give netd permission to read and write netlink xfrm
105 allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
107 # give netd permission to use eBPF functionalities
108 allow netd self:bpf { map_create map_read map_write };
110 # Allow netd to register as hal server.
111 add_hwservice(netd, system_net_netd_hwservice)
112 hwbinder_use(netd)
113 get_prop(netd, hwservicemanager_prop)
118 ### netd should NEVER do any of this
121 neverallow netd dev_type:blk_file { read write };
124 neverallow netd { domain }:process ptrace;
127 neverallow netd system_file:dir_file_class_set write;
130 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
132 # only system_server and dumpstate may find netd service
133 neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
135 # only netd can create the bpf maps
136 neverallow { domain -netd } netd:bpf { map_create };
138 # apps may not interact with netd over binder.
139 neverallow appdomain netd:binder call;
140 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
142 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
144 neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
146 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
147 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
148 neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;